Apache2 Reverse Proxy with authentication over OpenID Connect and authorization over ldap


Question

I'm trying to setup a reverse proxy that requires authentication against an OpenID Connect Identity Provider.

The User then grants the reverse proxy access to his data.

Some applications behind the proxy are only accessible by the user if he is the member of specific LDAP groups. Sadly the applications are dumb and cannot authorize themselves, so the reverse proxy must handle that part.

It wasn't so hard to setup the authentication part with mod_auth_openidc. What I struggle with is the authorization part. I have a working example with mod_authnz_ldap that requires username and password over BasicAuth.

The idea with OpenID Connect is that Resource Server (the proxy in my case) will never know the user's password and does not have to check it. That is delegated to the OpenID Connect Identity Provider.

So I don't have the password needed for this approach. My idea was to create a virtual host with oidc auth that refuses some header like x-my-oidc-username from clients, sets this header once authenticated and passes the request to another vhost binding on 127.0.0.1 so it cannot be accessed directly bypassing authentication. That vhost just takes the header as the authenticated username and runs the LDAP authorization.

I haven't seen a way to just skip the Authentication Phase of the ldap module and take the username from somewhere else like the OpenID Connect ID Token or from my custom header.

Any ideas/suggestions/approaches/tips?

Recommended answer

There's an article that shows how to combine mod_auth_openidc and mod_authnz_ldap here: https://github.com/pingidentity/mod_auth_openidc/wiki/Authorization#2-mod_authnz_ldap:

OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID <client_id>
OIDCClientSecret <client_secret>
OIDCRedirectURI http://example.com/example/redirect_uri
OIDCScope "openid email profile"

# Set REMOTE_USER to the email address.
# this is the value that mod_authnz_ldap leverages as the first parameter after basedn.
# in the example below, REMOTE_USER = email = mail attribute in LDAP.

OIDCRemoteUserClaim email
<Location /example/>
  AuthType openid-connect
  AuthLDAPURL "ldap://example.com/ou=people,dc=example,dc=com?mail?sub?(objectClass=*)"
  AuthLDAPGroupAttribute member
  Require ldap-group cn=myTestAccesss,ou=Groups,dc=example,dc=com
</Location>
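As an added example (not part of the answer above or of the mod_auth_openidc wiki), the same pattern applied to the reverse-proxy case from the question: one vhost authenticates via OIDC, authorizes via an LDAP group, and only then proxies to the backend, so no second vhost and no client-controlled username header are needed. Hostnames, the backend address, the bind DN and the group DN are placeholders.

```apache
# Added example: OIDC authentication + LDAP group authorization in front of a
# proxied backend. All names below are placeholders, not the page's values.
LoadModule auth_openidc_module modules/mod_auth_openidc.so
LoadModule ldap_module         modules/mod_ldap.so
LoadModule authnz_ldap_module  modules/mod_authnz_ldap.so
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_http_module   modules/mod_proxy_http.so
LoadModule headers_module      modules/mod_headers.so

<VirtualHost *:443>
    ServerName proxy.example.com
    # TLS directives omitted; the OIDC session cookie must never travel in clear text.

    OIDCProviderMetadataURL https://idp.example.com/.well-known/openid-configuration
    OIDCClientID            <client_id>
    OIDCClientSecret        <client_secret>
    OIDCRedirectURI         https://proxy.example.com/app/redirect_uri
    OIDCCryptoPassphrase    <random_passphrase>
    OIDCScope               "openid email"
    # REMOTE_USER becomes the email claim; mod_authnz_ldap then resolves that
    # value through the "mail" attribute named in AuthLDAPURL.
    OIDCRemoteUserClaim     email

    # Service account used for the user search and the group-membership lookup.
    AuthLDAPBindDN       "cn=proxy,ou=services,dc=example,dc=com"
    AuthLDAPBindPassword "<bind_password>"

    <Location /app/>
        AuthType openid-connect
        AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?mail?sub?(objectClass=*)"
        AuthLDAPGroupAttribute     member
        AuthLDAPGroupAttributeIsDN on
        # Only members of this group reach the backend; everyone else gets 403
        # even though they authenticated successfully at the IdP.
        Require ldap-group cn=app-users,ou=Groups,dc=example,dc=com

        # Hand the verified identity to the backend. "set" overwrites any value a
        # client sent in the same header, so the backend cannot be spoofed through it.
        RequestHeader set X-Remote-User "expr=%{REMOTE_USER}"

        ProxyPass        http://127.0.0.1:8080/app/
        ProxyPassReverse http://127.0.0.1:8080/app/
    </Location>
</VirtualHost>
```

The backend should still bind to 127.0.0.1 only, as the question proposes, so that the X-Remote-User header can only ever originate from this vhost.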
